commit 8ee020991dafaeed06a01bd95717da05fb3f5ba3
author Tatiana Bradley <tatianabradley@google.com> Mon Dec 04 14:06:23 2023 -0500
committer Tatiana Bradley <tatianabradley@google.com> Wed Dec 06 16:23:29 2023 +0000
tree 4feeb0ca5dd9c604ebfddf0438a518ee2b25998c
parent 7a7755550db6dcca0be0ee471d051ec0ae964fd3

internal/report: refactor CVEToReport

Add Go ID as input to CVEToReport and refactor so that the function
calls an internal function, cveToReport, which does not depend on the
proxy. This will ease testing in an upcoming change.

Change-Id: I3560c32f84e591254d03ff26605b90357fed8a89
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/547075
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>

cmd/vulnreport/main.go

diff --git a/cmd/vulnreport/main.go b/cmd/vulnreport/main.go
index 9e92e0c..36fc7ef 100644
--- a/cmd/vulnreport/main.go
+++ b/cmd/vulnreport/main.go
@@ -537,7 +537,7 @@
 		if err := cvelistrepo.FetchCVE(ctx, loadCVERepo(ctx), alias, cve); err != nil {
 			return nil, err
 		}
-		r = report.CVEToReport(cve, modulePath, cfg.proxyClient)
+		r = report.CVEToReport(cve, id, modulePath, cfg.proxyClient)
 	default:
 		r = &report.Report{}
 	}

internal/report/cve.go

diff --git a/internal/report/cve.go b/internal/report/cve.go
index 032ade6..1f90bb1 100644
--- a/internal/report/cve.go
+++ b/internal/report/cve.go
@@ -32,7 +32,13 @@
 }
 
 // CVEToReport creates a Report struct from a given CVE and modulePath.
-func CVEToReport(c *cveschema.CVE, modulePath string, pc *proxy.Client) *Report {
+func CVEToReport(c *cveschema.CVE, id, modulePath string, pc *proxy.Client) *Report {
+	r := cveToReport(c, id, modulePath)
+	r.Fix(pc)
+	return r
+}
+
+func cveToReport(c *cveschema.CVE, id, modulePath string) *Report {
 	var description Description
 	for _, d := range c.Description.Data {
 		description += Description(d.Value + "\n")
@@ -63,6 +69,7 @@
 		pkgPath = modulePath
 	}
 	r := &Report{
+		ID: id,
 		Modules: []*Module{{
 			Module: modulePath,
 			Packages: []*Package{{
@@ -84,6 +91,5 @@
 	} else {
 		r.CVEs = []string{c.Metadata.ID}
 	}
-	r.Fix(pc)
 	return r
 }

internal/worker/worker.go

diff --git a/internal/worker/worker.go b/internal/worker/worker.go
index 4d30e58..f3d969b 100644
--- a/internal/worker/worker.go
+++ b/internal/worker/worker.go
@@ -270,7 +270,7 @@
 	if cr.CVE.Metadata.ID == "" {
 		cr.CVE.Metadata.ID = cr.ID
 	}
-	r := report.CVEToReport(cr.CVE, cr.Module, pc)
+	r := report.CVEToReport(cr.CVE, "GO-ID-PENDING", cr.Module, pc)
 	r.Description = ""
 	out, err := r.ToString()
 	if err != nil {

internal/worker/worker_test.go

diff --git a/internal/worker/worker_test.go b/internal/worker/worker_test.go
index f41341c..249ec56 100644
--- a/internal/worker/worker_test.go
+++ b/internal/worker/worker_test.go
@@ -286,6 +286,7 @@
 See [doc/triage.md](https://github.com/golang/vulndb/blob/master/doc/triage.md) for instructions on how to triage this report.
 
 ` + "```" + `
+id: GO-ID-PENDING
 modules:
     - module: a.Module
       packages: